What should one do?

This is obviously a difficult question to answer. The way to go about it is to weigh the risk against the cost and find a balance that makes sense. A common pitfall here is factoring in ROI (Return on Investment). ROI is a very big deal to businesses; however, in the security context it doesn’t make much sense to consider it. Security is not an investment one makes to get a return, just as insurance is not such an investment. An organization should not invest in security with the notion that it will provide income, because it will not do that per se. So then what’s the point of security?

Security will help the company avoid downtime and the loss of precious man hours, property, clients and reputation. With that in mind, what one needs to do is not try to find out the ROI on a security investment but rather the costs that security will help avoid. In a nutshell one must, for each risk, estimate the likelihood of that risk and multiply it by how much it will cost if it occurs. After that you need to calculate how much the security you are planning to implement will reduce that risk and how much cost it will avoid. The difference between these two expected costs is the baseline you should aim for. Spend more and you’re overspending; spend less and you are incurring losses which can be avoided.

Calculating the cost of the risk

As stated previously, calculating the value of a risk is a complex matter that varies from case to case. Each risk can have an impact on a number of different items:

Manpower required to rectify the issue and/or reinstall systems

Manpower required to identify how the breach occurred and to secure it

When calculating the cost it is important to factor in each and every cost or loss resulting from that risk occurring. For example, if you suffer a breach and decide to be on the safe side, you will format the server and restore a clean backup to get rid of any malware the hacker might have planted. You might calculate that it takes half a day to restore the backup, so the loss is half a day’s wage for the administrator. That is wrong: if that is all you do, you can be sure you will be broken into again, as the vulnerability the hacker used to infiltrate the system is still there. At the very least you need to factor in the analysis and securing of that vulnerability as well. Then you need to consider the value of the data stored on that system, and the analysis of whether the attacker also breached any other internal systems once he reached that server.

Determining the likelihood

The final part of the equation is deciding how likely a certain risk is to occur. This is generally very hard to determine, especially because some risks, such as random attacks, are by nature purely random. Some risks are also multistage, so to speak. Taking random attacks as an example, the first stage of the risk would be being targeted, the second stage would be the attack succeeding, and a third stage would be the attacker getting access to anything valuable and what he does with it. As one builds security layers the risk factor will also change, as some of the stages become less likely to occur.
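The calculation the article describes, written out as an added example (it is not code from the article or from GFI): each risk carries every cost item the breach incurs, its likelihood is the product of its stage probabilities, a security layer lowers one stage's probability, and the drop in expected loss is the most that layer is worth. All figures, stage probabilities and the patching control are constructed assumptions for illustration.

```python
import math
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Stage:
    """One stage of a multistage risk and the probability it is reached, given the previous stage."""
    name: str
    probability: float

@dataclass(frozen=True)
class Risk:
    name: str
    stages: tuple  # ordered Stage objects; the overall likelihood is the product of their probabilities
    costs: dict    # every cost or loss incurred when the risk occurs, keyed by item

    def likelihood(self) -> float:
        return math.prod(stage.probability for stage in self.stages)

    def impact(self) -> float:
        return sum(self.costs.values())

    def expected_loss(self) -> float:
        return self.likelihood() * self.impact()

def with_control(risk: Risk, stage_name: str, new_probability: float) -> Risk:
    """A security layer lowers the probability of one stage and leaves the other stages as they are."""
    stages = tuple(replace(s, probability=new_probability) if s.name == stage_name else s
                   for s in risk.stages)
    return replace(risk, stages=stages)

def avoided_cost(before: Risk, after: Risk) -> float:
    """Reduction in expected loss: the most the control is worth per period (the baseline to aim for)."""
    return before.expected_loss() - after.expected_loss()

def verdict(control_cost: float, avoided: float) -> str:
    return "overspending" if control_cost > avoided else "justified"

# Constructed sample (annual figures, illustrative currency units): a web server breach.
WEB_SERVER_BREACH = Risk(
    name="web server compromise",
    stages=(Stage("targeted", 0.5), Stage("attack succeeds", 0.2), Stage("reaches valuable data", 0.5)),
    costs={"restore a clean backup (half a day of admin time)": 200,
           "identify and close the vulnerability": 1500,
           "value of the data on the server": 20000,
           "check whether other internal systems were reached": 3000},
)
# Assumed control: a patching process cuts the chance that an attack succeeds from 20% to 5%.
PATCHED = with_control(WEB_SERVER_BREACH, "attack succeeds", 0.05)
CONTROL_COST = 600  # assumed annual cost of the patching process
```

With these figures the expected loss drops from 1235 to 308.75 per year, so `verdict(CONTROL_COST, avoided_cost(WEB_SERVER_BREACH, PATCHED))` returns "justified"; pricing the breach at only the half day of admin time would instead make almost any control look like overspending.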

So what’s the conclusion from all this? Do we need security or is it all FUD?

I work in security so my answer will obviously always be yes. If I am talking to someone on the subject who is undecided, I will list all the above points in order to convince him he needs security, not because I want to scare him into buying products and support the industry, but because I do believe in what I preach. The only thing I can really do objectively is present the facts and the points to consider. The above article explains what one needs to consider in terms of security and how to determine roughly what stands to be lost. Once you do that exercise you can understand what an intrusion will mean, and you can decide how much money protecting yourself against that event is really worth.

About the Author: Emmanuel Carabott

Emmanuel Carabott, CISSP (Certified Information Systems Security Professional), has been working in the IT field for the past 18 years. He joined GFI in 1999, where he currently heads the security research team.
Emmanuel is also a contributor to the GFI Blog, where he regularly posts articles on various topics of interest to sysadmins and other IT professionals, focusing primarily on the area of information security.

2 Comments

If you view “security” as a pot of gold at the end of the rainbow then it’s easy to perceive that it is an endless expense for an unachievable goal.

But when you understand that security is a process (or an element of various processes), not an endpoint, it becomes easier to see real benefits and return on investment.

Emmanuel Carabott April 12, 2010 at 11:31 am

That’s true Paul, however I guess it’s not easy to see security as a process if one is not directly involved in that field.

One has to consider that IT is employed in nearly every business, be it a large multinational or a small corner shop. When a business has staff that is trained in security the decision maker will have the necessary input to make an informed decision, but what happens when a small business is a one man job who might not have the necessary skills?

I think it’s quite possible that some people wouldn’t even know what security really is or have a very limited scope on the definition such as protecting against viruses or just installing a firewall without even knowing what a firewall is.

Hopefully if any such person were to read this article it will help in giving a clearer picture of what security really is and what it involves.